ROP attack
2022-04-23 05:27:00 [What'smean]
ROP, whose full name is Return-oriented Programming, is a new kind of attack based on code reuse: the attacker extracts instruction fragments from an existing library or executable and assembles malicious code out of them.
ROP attacks differ from buffer overflow attacks and format string vulnerability attacks. They are a new way of attacking that relies on code reuse.
The core idea of ROP: the attacker scans existing dynamic link libraries and executables and extracts usable instruction fragments (gadgets). Each fragment ends in a ret instruction, and it is this ret instruction that links the execution of one fragment to the next. The operating system implements function calls and returns through the stack, by pushing and popping. Each program maintains a run-time stack that is shared by all of its functions; on every function call the system assigns a stack frame to the called function, used for parameter passing, maintenance of local variables, storing the return address, and so on. A stack frame is a portion of the program's run-time stack. On Linux, the %esp and %ebp registers hold the stack top pointer and the starting address of the current stack frame, and %eip is the program counter register [1]. A ROP attack uses program fragments ending in ret to manipulate these stack-related registers, redirect the control flow of the program, execute the chosen gadgets one after another, and so reach the attacker's preset goal. ROP differs from return-to-libc in that a ROP attack uses function code fragments that end in a ret instruction, rather than whole functions, to carry out the intended operation; in a broad sense, return-to-libc is a special case of ROP. The first ROP attack was implemented on the x86 architecture and was later extended to various other architectures. Unlike earlier attack techniques, the malicious code of ROP contains no injected instructions of its own: it hides inside normal code, and can therefore bypass W⊕X defenses.
ROP also has internal characteristics that distinguish it from normal programs:
(1) In ROP control flow, call and ret instructions do not enter and leave functions; instead they are used to string together the execution of short instruction sequences found inside functions. In a normal program, call and ret mark the beginning and the end of a function respectively.
(2) In ROP control flow, jmp instructions jump between different library functions, or even between different libraries. The instruction sequences extracted by the attacker may be taken from any location in any binary, which is very different from the execution of a normal program. For example, a short instruction sequence ending in jmp that was extracted from the middle of one function can divert the control flow into the interior of another function, whereas in a normally executing program a jmp instruction usually jumps within the same function.
Prevention of ROP attacks: a ROP attack program mainly exploits a stack overflow vulnerability to hijack the program's control flow. Protecting against stack overflow vulnerabilities is therefore the most fundamental way to block ROP attacks; if the stack overflow problem is solved, ROP attacks will be largely suppressed.
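Characteristic (1) above is exactly what a shadow stack detects: every ret in a normal program pops the return address that the most recent call pushed, while a ROP chain issues rets that no call produced. The following checker, an added example that is not part of the original post, replays a constructed control-flow trace (the addresses are made-up constants) against a shadow stack and reports the first ret that does not match a pending call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shadow-stack style checker over a recorded control-flow trace.
 * Normal code pairs every ret with an earlier call; a ROP chain issues
 * rets that no call produced. All addresses below are made-up constants. */
typedef enum { EV_CALL, EV_RET } EvKind;

typedef struct {
    EvKind   kind;
    uint32_t addr;  /* CALL: return address pushed; RET: return address popped */
} Event;

#define SHADOW_MAX 64

/* Returns -1 if every RET pops exactly the return address of the most
 * recent unmatched CALL, otherwise the index of the first offending event. */
int check_trace(const Event *ev, size_t n) {
    uint32_t shadow[SHADOW_MAX];
    size_t depth = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_CALL) {
            if (depth == SHADOW_MAX) return (int)i;  /* nesting too deep: flag it */
            shadow[depth++] = ev[i].addr;
        } else if (depth == 0 || shadow[--depth] != ev[i].addr) {
            return (int)i;  /* ret without a matching call: the ROP signature */
        }
    }
    return -1;
}

/* Constructed trace of a well-behaved program: main calls f, f calls g. */
static const Event normal_trace[] = {
    { EV_CALL, 0x08048410 }, { EV_CALL, 0x08048520 },
    { EV_RET,  0x08048520 }, { EV_RET,  0x08048410 },
};

/* Constructed trace after a stack overflow: the first ret pops an attacker-
 * chosen gadget address that no call pushed, then the chain keeps ret-ing. */
static const Event rop_trace[] = {
    { EV_CALL, 0x08048410 }, { EV_RET, 0x0804a1c3 }, { EV_RET, 0x0804b2f0 },
};

int check_normal(void) { return check_trace(normal_trace, 4); }
int check_rop(void)    { return check_trace(rop_trace, 3); }

int main(void) {
    printf("normal trace: first violation at %d\n", check_normal());  /* -1 */
    printf("rop trace:    first violation at %d\n", check_rop());     /* 1 */
    return 0;
}
```

Hardware shadow stacks (such as the one in Intel CET) apply the same rule at every ret, which is why they stop the chaining step even when the initial stack overflow is not prevented.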
Copyright notice
This article was written by [What'smean]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204220544124610.html